Comments

Latest Posts

Azure File Shares Integrating With Local AD DS & Configure Access Via Public or Private Connections (VPN)

It is a common use case to integrate your on-prem AD DS with your Azure Storage File Shares. This post summarize the necessary steps to simplify the procedures from Microsoft documentation in the following:

 Follow the steps below to set up Azure Files for AD DS Authentication:

  1. Part one: enable AD DS authentication on your storage account

  2. Part two: assign access permissions for a share to the Azure AD identity (a user, group, or service principal) that is in sync with the target AD identity

  3. Part three: configure Windows ACLs over SMB for directories and files

  4. Part four: mount an Azure file share to a VM joined to your AD DS

  5. Update the password of your storage account identity in AD DS

The following diagram illustrates the end-to-end workflow for enabling Azure AD authentication over SMB for Azure file shares.

Files AD workflow diagram





My Lab Diagram




Pre-requisites

1 AD DS environment is ready and sync it to Azure AD with Azure AD Connect.

2 Azure storage account and file share created.

3 Network connection is ready for your client machine, which means it can reach out to your Local AD DC and reach out to your Azure File Share (port 445). If not, you might need two VPNs, one vpn to local AD DC, and one vpn to Azure File Share (Private End Point)


Quick Steps

1 Download and unzip the AzFilesHybrid module (GA module: v0.2.0+) 

For example, unzip it to c:\temp\azure folder

2 Install and execute the module. It will take a while to done during installing packages: 

.\CopyToPSPath.ps1
Import-Module -Name AzFilesHybrid

Note: It will take a file to have import-module command completed. 

3 Connect to Azure Account

Connect-AzAccount

4 Run Join-AzStorageAccount Powershell command 

Join-AzStorageAccount `
        -ResourceGroupName rg-FileShare-Test-EastUs-1 `
         -StorageAccountName netsecfs `
        -DomainAccountType ComputerAccount `
        -OrganizationalUnitDistinguishedName "OU=StorageAccounts,DC=51sec,DC=corp"



PS C:\Windows\system32> cd C:\temp\jy\
PS C:\temp\jy> cd .\AzFilesHybrid\
PS C:\temp\jy\AzFilesHybrid> Import-Module -Name AzFilesHybrid
Security warning
Run only scripts that you trust. While scripts from the internet can be useful, this script can potentially harm your
computer. If you trust this script, use the Unblock-File cmdlet to allow the script to run without this warning
message. Do you want to run C:\Users\jon\Documents\WindowsPowerShell\Modules\AzFilesHybrid\0.2.4.0\AzFilesHybrid.psm1?
[D] Do not run  [R] Run once  [S] Suspend  [?] Help (default is "D"): R
Install Azure PowerShell modules
This module requires Azure PowerShell ("Az" module) 2.8.0+ and Az.Storage 3.7.0+. This can be installed now if you are
running as an administrator.
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): A
PS C:\temp\jy\AzFilesHybrid>
PS C:\temp\jy\AzFilesHybrid>
PS C:\temp\jy\AzFilesHybrid>
PS C:\temp\jy\AzFilesHybrid>
PS C:\temp\jy\AzFilesHybrid> Connect-AzAccount
Account                SubscriptionName TenantId                             Environment
-------                ---------------- --------                             -----------
[email protected] Pay-As-You-Go    00771de-ce1-4f6-bc3-b9fecde7b AzureCloud



PS C:\temp\jy\AzFilesHybrid> Join-AzStorageAccount `
>>         -ResourceGroupName rg-FileShare-Test-EastUs-1 `
>>         -StorageAccountName netsecfs `
>>         -DomainAccountType ComputerAccount `
>>         -OrganizationalUnitDistinguishedName "OU=StorageAccounts,DC=corp,DC=51sec,DC=org"

StorageAccountName ResourceGroupName          PrimaryLocation SkuName        Kind      AccessTier CreationTime
------------------ -----------------          --------------- -------        ----      ---------- ------------
netsecfileshares      rg-fileshare-test-eastus-1 eastus          Standard_RAGRS StorageV2 Hot        3/26/2022 11:20:55 PM

PS C:\temp\jy\AzFilesHybrid>
PS C:\temp\jy\AzFilesHybrid>
PS C:\temp\jy\AzFilesHybrid>
PS C:\temp\jy\AzFilesHybrid>
PS C:\temp\jy\AzFilesHybrid> Debug-AzStorageAccountAuth -StorageAccountName netsecfileshares -ResourceGroupName rg-FileShar
e-Test-EastUs-1 -Verbose
VERBOSE: CheckPort445Connectivity - START
VERBOSE: Found storage Account 'netsecfileshares' in Resource Group 'rg-FileShare-Test-EastUs-1'
VERBOSE: Executing 'Test-NetConnection -ComputerName netsecfileshares.file.core.windows.net -Port 445'
VERBOSE: CheckPort445Connectivity - SUCCESS
VERBOSE: CheckDomainJoined - START
VERBOSE: Perform operation 'Enumerate CimInstances' with following parameters, ''namespaceName' =
root\cimv2,'className' = win32_computersystem'.
VERBOSE: Operation 'Enumerate CimInstances' complete.
VERBOSE: Session is running in a domain-joined environment.
VERBOSE: CheckDomainJoined - SUCCESS
VERBOSE: CheckADObject - START
VERBOSE: Perform operation 'Enumerate CimInstances' with following parameters, ''namespaceName' =
root\cimv2,'className' = win32_computersystem'.
VERBOSE: Operation 'Enumerate CimInstances' complete.
VERBOSE: Session is running in a domain-joined environment.
VERBOSE: Found storage Account 'netsecfileshares' in Resource Group 'rg-FileShare-Test-EastUs-1'
VERBOSE: Looking for an object with SID 'S-1-5-21-2488401269-1895120637-1421044794-10609' in domain
'corp.netsec.com' for storage account 'netsecfileshares'
VERBOSE: Found AD object: CN=netsecfileshares,OU=StorageAccountsOU,DC=corp,DC=netseccoustics,DC=com of class computer.
VERBOSE: Found storage Account 'netsecfileshares' in Resource Group 'rg-FileShare-Test-EastUs-1'
VERBOSE: Generated service principal name of cifs/netsecfileshares.file.core.windows.net
VERBOSE: CheckADObject - SUCCESS
VERBOSE: CheckGetKerberosTicket - START
VERBOSE: Found storage Account 'netsecfileshares' in Resource Group 'rg-FileShare-Test-EastUs-1'
VERBOSE: Generated service principal name of cifs/netsecfileshares.file.core.windows.net
VERBOSE: Running command 'klist.exe get cifs/netsecfileshares.file.core.windows.net'
VERBOSE:
VERBOSE: Current LogonId is 0:0xb90872
VERBOSE: A ticket to cifs/netsecfileshares.file.core.windows.net has been retrieved successfully.
VERBOSE:
VERBOSE: Cached Tickets: (2)
VERBOSE:
VERBOSE: #0> Client: jon @ CORP.netsec.com
VERBOSE:  Server: krbtgt/CORP.netsec.com @ CORP.netsec.com
VERBOSE:  KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
VERBOSE:  Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
VERBOSE:  Start Time: 3/26/2022 19:25:37 (local)
VERBOSE:  End Time:   3/27/2022 5:25:37 (local)
VERBOSE:  Renew Time: 4/2/2022 19:25:37 (local)
VERBOSE:  Session Key Type: AES-256-CTS-HMAC-SHA1-96
VERBOSE:  Cache Flags: 0x1 -> PRIMARY
VERBOSE:  Kdc Called: netsecDC04
VERBOSE:
VERBOSE: #1> Client: jon @ CORP.netsec.com
VERBOSE:  Server: cifs/netsecfileshares.file.core.windows.net @ CORP.netsec.com
VERBOSE:  KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
VERBOSE:  Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
VERBOSE:  Start Time: 3/26/2022 19:25:37 (local)
VERBOSE:  End Time:   3/27/2022 5:25:37 (local)
VERBOSE:  Renew Time: 4/2/2022 19:25:37 (local)
VERBOSE:  Session Key Type: RSADSI RC4-HMAC(NT)
VERBOSE:  Cache Flags: 0
VERBOSE:  Kdc Called: netsecDC04
VERBOSE: Azure Files Kerberos Ticket Health Check Summary:
VERBOSE: 1 Kerberos service tickets to Azure storage accounts were detected.
VERBOSE: Ticket #1 : Healthy
VERBOSE:
Client                     : jon @ CORP.netsec.com
Server                     : cifs/netsecfileshares.file.core.windows.net @ CORP.netsec.com
KerbTicket Encryption Type : RSADSI RC4-HMAC(NT)
Ticket Flags               : 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
Start Time                 : 3/26/2022 19:25:37 (local)
End Time                   : 3/27/2022 5:25:37 (local)
Renew Time                 : 4/2/2022 19:25:37 (local)
Session Key Type           : RSADSI RC4-HMAC(NT)
Azure Files Health Status  : Healthy




Client                     : jon @ CORP.netsec.com
Server                     : cifs/netsecfileshares.file.core.windows.net @ CORP.netsec.com
KerbTicket Encryption Type : RSADSI RC4-HMAC(NT)
Ticket Flags               : 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
Start Time                 : 3/26/2022 19:25:37 (local)
End Time                   : 3/27/2022 5:25:37 (local)
Renew Time                 : 4/2/2022 19:25:37 (local)
Session Key Type           : RSADSI RC4-HMAC(NT)
Azure Files Health Status  : Healthy
VERBOSE: CheckGetKerberosTicket - SUCCESS
VERBOSE: CheckADObjectPasswordIsCorrect - START
VERBOSE: Perform operation 'Enumerate CimInstances' with following parameters, ''namespaceName' =
root\cimv2,'className' = win32_computersystem'.
VERBOSE: Operation 'Enumerate CimInstances' complete.
VERBOSE: Session is running in a domain-joined environment.
VERBOSE: Found storage Account 'netsecfileshares' in Resource Group 'rg-FileShare-Test-EastUs-1'
VERBOSE: Found storage Account 'netsecfileshares' in Resource Group 'rg-FileShare-Test-EastUs-1'
VERBOSE: Perform operation 'Enumerate CimInstances' with following parameters, ''namespaceName' =
root\cimv2,'className' = win32_computersystem'.
VERBOSE: Operation 'Enumerate CimInstances' complete.
VERBOSE: Session is running in a domain-joined environment.
VERBOSE: Looking for an object with SID 'S-1-5-21-2488401269-1895120637-1421044794-10609' in domain
'corp.netsec.com' for storage account 'netsecfileshares'
VERBOSE: Found AD object: CN=netsecfileshares,OU=StorageAccountsOU,DC=corp,DC=netseccoustics,DC=com of class computer.
VERBOSE: Found that kerb1 matches password for netsecfileshares in AD.
ResourceGroupName  : rg-FileShare-Test-EastUs-1
StorageAccountName : netsecfileshares
KerbKeyName        :
KeyMatches         : False
ResourceGroupName  : rg-FileShare-Test-EastUs-1
StorageAccountName : netsecfileshares
KerbKeyName        : kerb1
KeyMatches         : True
ResourceGroupName  : rg-FileShare-Test-EastUs-1
StorageAccountName : netsecfileshares
KerbKeyName        : kerb2
KeyMatches         : False
VERBOSE: CheckADObjectPasswordIsCorrect - SUCCESS
VERBOSE: CheckSidHasAadUser - START
VERBOSE: Look up user jon in domain corp.netsec.com
VERBOSE: User  in domain  has SID = S-1-5-21-2488401269-1895120637-1421044794-9150
Install AzureAD PowerShell module
This cmdlet requires the Azure AD PowerShell module. This can be automatically installed now if you are running in an
elevated sessions.
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): A
VERBOSE: Removing the imported "Find-Command" function.
VERBOSE: Removing the imported "Find-DscResource" function.
VERBOSE: Removing the imported "Find-Module" function.
VERBOSE: Removing the imported "Find-RoleCapability" function.
VERBOSE: Removing the imported "Find-Script" function.
VERBOSE: Removing the imported "Get-CredsFromCredentialProvider" function.
VERBOSE: Removing the imported "Get-InstalledModule" function.
VERBOSE: Removing the imported "Get-InstalledScript" function.
VERBOSE: Removing the imported "Get-PSRepository" function.
VERBOSE: Removing the imported "Install-Module" function.
VERBOSE: Removing the imported "Install-Script" function.
VERBOSE: Removing the imported "New-ScriptFileInfo" function.
VERBOSE: Removing the imported "Publish-Module" function.
VERBOSE: Removing the imported "Publish-Script" function.
VERBOSE: Removing the imported "Register-PSRepository" function.
VERBOSE: Removing the imported "Save-Module" function.
VERBOSE: Removing the imported "Save-Script" function.
VERBOSE: Removing the imported "Set-PSRepository" function.
VERBOSE: Removing the imported "Test-ScriptFileInfo" function.
VERBOSE: Removing the imported "Uninstall-Module" function.
VERBOSE: Removing the imported "Uninstall-Script" function.
VERBOSE: Removing the imported "Unregister-PSRepository" function.
VERBOSE: Removing the imported "Update-Module" function.
VERBOSE: Removing the imported "Update-ModuleManifest" function.
VERBOSE: Removing the imported "Update-Script" function.
VERBOSE: Removing the imported "Update-ScriptFileInfo" function.
VERBOSE: Removing the imported "PSGetPath" variable.
VERBOSE: Removing the imported "fimo" alias.
VERBOSE: Removing the imported "inmo" alias.
VERBOSE: Removing the imported "pumo" alias.
VERBOSE: Removing the imported "upmo" alias.
VERBOSE: Loading module from path 'C:\Program Files\WindowsPowerShell\Modules\AzureAD\2.0.2.140\AzureAD.psd1'.
VERBOSE: Loading 'FormatsToProcess' from path 'C:\Program
Files\WindowsPowerShell\Modules\AzureAD\2.0.2.140\AzureAD.Format.ps1xml'.
VERBOSE: Populating RepositorySourceLocation property for module AzureAD.
VERBOSE: Loading module from path 'C:\Program
Files\WindowsPowerShell\Modules\AzureAD\2.0.2.140\Microsoft.Open.AzureAD16.Graph.PowerShell.dll'.
VERBOSE: Exporting cmdlet 'Add-AzureADApplicationOwner'.
VERBOSE: Exporting cmdlet 'Get-AzureADApplication'.
VERBOSE: Exporting cmdlet 'Get-AzureADApplicationExtensionProperty'.
VERBOSE: Exporting cmdlet 'Get-AzureADApplicationOwner'.
VERBOSE: Exporting cmdlet 'Get-AzureADApplicationServiceEndpoint'.
VERBOSE: Exporting cmdlet 'Get-AzureADDeletedApplication'.
VERBOSE: Exporting cmdlet 'Remove-AzureADDeletedApplication'.
VERBOSE: Exporting cmdlet 'New-AzureADApplication'.
VERBOSE: Exporting cmdlet 'New-AzureADApplicationExtensionProperty'.
VERBOSE: Exporting cmdlet 'Remove-AzureADApplication'.
VERBOSE: Exporting cmdlet 'Remove-AzureADApplicationExtensionProperty'.
VERBOSE: Exporting cmdlet 'Remove-AzureADApplicationOwner'.
VERBOSE: Exporting cmdlet 'Restore-AzureADDeletedApplication'.
VERBOSE: Exporting cmdlet 'Set-AzureADApplication'.
VERBOSE: Exporting cmdlet 'Get-AzureADContact'.
VERBOSE: Exporting cmdlet 'Get-AzureADContactDirectReport'.
VERBOSE: Exporting cmdlet 'Get-AzureADContactManager'.
VERBOSE: Exporting cmdlet 'Get-AzureADContactMembership'.
VERBOSE: Exporting cmdlet 'Remove-AzureADContact'.
VERBOSE: Exporting cmdlet 'Remove-AzureADContactManager'.
VERBOSE: Exporting cmdlet 'Select-AzureADGroupIdsContactIsMemberOf'.
VERBOSE: Exporting cmdlet 'Get-AzureADContract'.
VERBOSE: Exporting cmdlet 'Add-AzureADDeviceRegisteredOwner'.
VERBOSE: Exporting cmdlet 'Add-AzureADDeviceRegisteredUser'.
VERBOSE: Exporting cmdlet 'Remove-AzureADDeviceRegisteredOwner'.
VERBOSE: Exporting cmdlet 'Get-AzureADDevice'.
VERBOSE: Exporting cmdlet 'Get-AzureADDeviceRegisteredOwner'.
VERBOSE: Exporting cmdlet 'Get-AzureADDeviceRegisteredUser'.
VERBOSE: Exporting cmdlet 'New-AzureADDevice'.
VERBOSE: Exporting cmdlet 'Remove-AzureADDevice'.
VERBOSE: Exporting cmdlet 'Remove-AzureADDeviceRegisteredUser'.
VERBOSE: Exporting cmdlet 'Set-AzureADDevice'.
VERBOSE: Exporting cmdlet 'Get-AzureADDeviceConfiguration'.
VERBOSE: Exporting cmdlet 'Get-AzureADObjectByObjectId'.
VERBOSE: Exporting cmdlet 'Enable-AzureADDirectoryRole'.
VERBOSE: Exporting cmdlet 'Add-AzureADDirectoryRoleMember'.
VERBOSE: Exporting cmdlet 'Get-AzureADDirectoryRoleMember'.
VERBOSE: Exporting cmdlet 'Get-AzureADDirectoryRole'.
VERBOSE: Exporting cmdlet 'Remove-AzureADDirectoryRoleMember'.
VERBOSE: Exporting cmdlet 'Get-AzureADDirectoryRoleTemplate'.
VERBOSE: Exporting cmdlet 'Confirm-AzureADDomain'.
VERBOSE: Exporting cmdlet 'Get-CrossCloudVerificationCode'.
VERBOSE: Exporting cmdlet 'Get-AzureADDomain'.
VERBOSE: Exporting cmdlet 'Get-AzureADDomainNameReference'.
VERBOSE: Exporting cmdlet 'Get-AzureADDomainServiceConfigurationRecord'.
VERBOSE: Exporting cmdlet 'Get-AzureADDomainVerificationDnsRecord'.
VERBOSE: Exporting cmdlet 'New-AzureADDomain'.
VERBOSE: Exporting cmdlet 'Remove-AzureADDomain'.
VERBOSE: Exporting cmdlet 'Set-AzureADDomain'.
VERBOSE: Exporting cmdlet 'Get-AzureADExtensionProperty'.
VERBOSE: Exporting cmdlet 'Add-AzureADGroupMember'.
VERBOSE: Exporting cmdlet 'Add-AzureADGroupOwner'.
VERBOSE: Exporting cmdlet 'Get-AzureADGroup'.
VERBOSE: Exporting cmdlet 'Get-AzureADGroupAppRoleAssignment'.
VERBOSE: Exporting cmdlet 'Get-AzureADGroupMember'.
VERBOSE: Exporting cmdlet 'Get-AzureADGroupOwner'.
VERBOSE: Exporting cmdlet 'New-AzureADGroup'.
VERBOSE: Exporting cmdlet 'New-AzureADGroupAppRoleAssignment'.
VERBOSE: Exporting cmdlet 'Remove-AzureADGroup'.
VERBOSE: Exporting cmdlet 'Remove-AzureADGroupAppRoleAssignment'.
VERBOSE: Exporting cmdlet 'Remove-AzureADGroupMember'.
VERBOSE: Exporting cmdlet 'Remove-AzureADGroupOwner'.
VERBOSE: Exporting cmdlet 'Select-AzureADGroupIdsGroupIsMemberOf'.
VERBOSE: Exporting cmdlet 'Set-AzureADGroup'.
VERBOSE: Exporting cmdlet 'Get-AzureADOAuth2PermissionGrant'.
VERBOSE: Exporting cmdlet 'Remove-AzureADOAuth2PermissionGrant'.
VERBOSE: Exporting cmdlet 'Add-AzureADServicePrincipalOwner'.
VERBOSE: Exporting cmdlet 'Get-AzureADServicePrincipal'.
VERBOSE: Exporting cmdlet 'Get-AzureADServiceAppRoleAssignedTo'.
VERBOSE: Exporting cmdlet 'Get-AzureADServiceAppRoleAssignment'.
VERBOSE: Exporting cmdlet 'Get-AzureADServicePrincipalCreatedObject'.
VERBOSE: Exporting cmdlet 'Get-AzureADServicePrincipalMembership'.
VERBOSE: Exporting cmdlet 'Get-AzureADServicePrincipalOAuth2PermissionGrant'.
VERBOSE: Exporting cmdlet 'Get-AzureADServicePrincipalOwnedObject'.
VERBOSE: Exporting cmdlet 'Get-AzureADServicePrincipalOwner'.
VERBOSE: Exporting cmdlet 'New-AzureADServicePrincipal'.
VERBOSE: Exporting cmdlet 'New-AzureADServiceAppRoleAssignment'.
VERBOSE: Exporting cmdlet 'Remove-AzureADServicePrincipal'.
VERBOSE: Exporting cmdlet 'Remove-AzureADServiceAppRoleAssignment'.
VERBOSE: Exporting cmdlet 'Remove-AzureADServicePrincipalOwner'.
VERBOSE: Exporting cmdlet 'Select-AzureADGroupIdsServicePrincipalIsMemberOf'.
VERBOSE: Exporting cmdlet 'Set-AzureADServicePrincipal'.
VERBOSE: Exporting cmdlet 'Revoke-AzureADSignedInUserAllRefreshToken'.
VERBOSE: Exporting cmdlet 'Get-AzureADSubscribedSku'.
VERBOSE: Exporting cmdlet 'Get-AzureADTenantDetail'.
VERBOSE: Exporting cmdlet 'Set-AzureADTenantDetail'.
VERBOSE: Exporting cmdlet 'Get-AzureADUser'.
VERBOSE: Exporting cmdlet 'Get-AzureADUserAppRoleAssignment'.
VERBOSE: Exporting cmdlet 'Get-AzureADUserCreatedObject'.
VERBOSE: Exporting cmdlet 'Get-AzureADUserDirectReport'.
VERBOSE: Exporting cmdlet 'Get-AzureADUserLicenseDetail'.
VERBOSE: Exporting cmdlet 'Get-AzureADUserManager'.
VERBOSE: Exporting cmdlet 'Get-AzureADUserMembership'.
VERBOSE: Exporting cmdlet 'Get-AzureADUserOAuth2PermissionGrant'.
VERBOSE: Exporting cmdlet 'Get-AzureADUserOwnedDevice'.
VERBOSE: Exporting cmdlet 'Get-AzureADUserOwnedObject'.
VERBOSE: Exporting cmdlet 'Get-AzureADUserRegisteredDevice'.
VERBOSE: Exporting cmdlet 'New-AzureADUser'.
VERBOSE: Exporting cmdlet 'New-AzureADUserAppRoleAssignment'.
VERBOSE: Exporting cmdlet 'Remove-AzureADUser'.
VERBOSE: Exporting cmdlet 'Remove-AzureADUserAppRoleAssignment'.
VERBOSE: Exporting cmdlet 'Remove-AzureADUserManager'.
VERBOSE: Exporting cmdlet 'Revoke-AzureADUserAllRefreshToken'.
VERBOSE: Exporting cmdlet 'Select-AzureADGroupIdsUserIsMemberOf'.
VERBOSE: Exporting cmdlet 'Set-AzureADUser'.
VERBOSE: Exporting cmdlet 'Set-AzureADUserLicense'.
VERBOSE: Exporting cmdlet 'Set-AzureADUserManager'.
VERBOSE: Exporting cmdlet 'Connect-AzureAD'.
VERBOSE: Exporting cmdlet 'Disconnect-AzureAD'.
VERBOSE: Exporting cmdlet 'Get-AzureADCurrentSessionInfo'.
VERBOSE: Exporting cmdlet 'Get-AzureADApplicationLogo'.
VERBOSE: Exporting cmdlet 'Set-AzureADApplicationLogo'.
VERBOSE: Exporting cmdlet 'Set-AzureADUserPassword'.
VERBOSE: Exporting cmdlet 'Get-AzureADContactThumbnailPhoto'.
VERBOSE: Exporting cmdlet 'Get-AzureADUserThumbnailPhoto'.
VERBOSE: Exporting cmdlet 'Set-AzureADUserThumbnailPhoto'.
VERBOSE: Exporting cmdlet 'New-AzureADApplicationKeyCredential'.
VERBOSE: Exporting cmdlet 'Get-AzureADApplicationKeyCredential'.
VERBOSE: Exporting cmdlet 'Remove-AzureADApplicationKeyCredential'.
VERBOSE: Exporting cmdlet 'New-AzureADApplicationPasswordCredential'.
VERBOSE: Exporting cmdlet 'Get-AzureADApplicationPasswordCredential'.
VERBOSE: Exporting cmdlet 'Remove-AzureADApplicationPasswordCredential'.
VERBOSE: Exporting cmdlet 'Update-AzureADSignedInUserPassword'.
VERBOSE: Exporting cmdlet 'New-AzureADServicePrincipalKeyCredential'.
VERBOSE: Exporting cmdlet 'Get-AzureADServicePrincipalKeyCredential'.
VERBOSE: Exporting cmdlet 'Remove-AzureADServicePrincipalKeyCredential'.
VERBOSE: Exporting cmdlet 'New-AzureADServicePrincipalPasswordCredential'.
VERBOSE: Exporting cmdlet 'Get-AzureADServicePrincipalPasswordCredential'.
VERBOSE: Exporting cmdlet 'Remove-AzureADServicePrincipalPasswordCredential'.
VERBOSE: Exporting cmdlet 'Get-AzureADTrustedCertificateAuthority'.
VERBOSE: Exporting cmdlet 'New-AzureADTrustedCertificateAuthority'.
VERBOSE: Exporting cmdlet 'Set-AzureADTrustedCertificateAuthority'.
VERBOSE: Exporting cmdlet 'Remove-AzureADTrustedCertificateAuthority'.
VERBOSE: Exporting cmdlet 'Get-AzureADUserExtension'.
VERBOSE: Exporting cmdlet 'Set-AzureADUserExtension'.
VERBOSE: Exporting cmdlet 'Remove-AzureADUserExtension'.
VERBOSE: Exporting cmdlet 'Add-AzureADMSApplicationOwner'.
VERBOSE: Exporting cmdlet 'Get-AzureADMSApplication'.
VERBOSE: Exporting cmdlet 'Get-AzureADMSApplicationExtensionProperty'.
VERBOSE: Exporting cmdlet 'Get-AzureADMSApplicationOwner'.
VERBOSE: Exporting cmdlet 'New-AzureADMSApplication'.
VERBOSE: Exporting cmdlet 'New-AzureADMSApplicationExtensionProperty'.
VERBOSE: Exporting cmdlet 'New-AzureADMSApplicationKey'.
VERBOSE: Exporting cmdlet 'New-AzureADMSApplicationPassword'.
VERBOSE: Exporting cmdlet 'Remove-AzureADMSApplication'.
VERBOSE: Exporting cmdlet 'Remove-AzureADMSApplicationExtensionProperty'.
VERBOSE: Exporting cmdlet 'Remove-AzureADMSApplicationKey'.
VERBOSE: Exporting cmdlet 'Remove-AzureADMSApplicationOwner'.
VERBOSE: Exporting cmdlet 'Remove-AzureADMSApplicationPassword'.
VERBOSE: Exporting cmdlet 'Set-AzureADMSApplication'.
VERBOSE: Exporting cmdlet 'Set-AzureADMSApplicationLogo'.
VERBOSE: Exporting cmdlet 'Get-AzureADApplicationProxyApplication'.
VERBOSE: Exporting cmdlet 'Get-AzureADApplicationProxyApplicationConnectorGroup'.
VERBOSE: Exporting cmdlet 'Get-AzureADApplicationProxyConnector'.
VERBOSE: Exporting cmdlet 'Get-AzureADApplicationProxyConnectorGroupMember'.
VERBOSE: Exporting cmdlet 'Get-AzureADApplicationProxyConnectorMemberOf'.
VERBOSE: Exporting cmdlet 'New-AzureADApplicationProxyConnectorGroup'.
VERBOSE: Exporting cmdlet 'Remove-AzureADApplicationProxyApplicationConnectorGroup'.
VERBOSE: Exporting cmdlet 'Remove-AzureADApplicationProxyConnectorGroup'.
VERBOSE: Exporting cmdlet 'Set-AzureADApplicationProxyConnectorGroup'.
VERBOSE: Exporting cmdlet 'Remove-AzureADMSApplicationVerifiedPublisher'.
VERBOSE: Exporting cmdlet 'Set-AzureADMSApplicationVerifiedPublisher'.
VERBOSE: Exporting cmdlet 'Get-AzureADMSAuthorizationPolicy'.
VERBOSE: Exporting cmdlet 'Set-AzureADMSAuthorizationPolicy'.
VERBOSE: Exporting cmdlet 'Get-AzureADMSGroupPermissionGrant'.
VERBOSE: Exporting cmdlet 'Get-AzureADMSPermissionGrantConditionSet'.
VERBOSE: Exporting cmdlet 'New-AzureADMSPermissionGrantConditionSet'.
VERBOSE: Exporting cmdlet 'Remove-AzureADMSPermissionGrantConditionSet'.
VERBOSE: Exporting cmdlet 'Set-AzureADMSPermissionGrantConditionSet'.
VERBOSE: Exporting cmdlet 'Get-AzureADMSPermissionGrantPolicy'.
VERBOSE: Exporting cmdlet 'New-AzureADMSPermissionGrantPolicy'.
VERBOSE: Exporting cmdlet 'Remove-AzureADMSPermissionGrantPolicy'.
VERBOSE: Exporting cmdlet 'Set-AzureADMSPermissionGrantPolicy'.
VERBOSE: Exporting cmdlet 'Get-AzureADMSRoleAssignment'.
VERBOSE: Exporting cmdlet 'New-AzureADMSRoleAssignment'.
VERBOSE: Exporting cmdlet 'Remove-AzureADMSRoleAssignment'.
VERBOSE: Exporting cmdlet 'Get-AzureADMSRoleDefinition'.
VERBOSE: Exporting cmdlet 'New-AzureADMSRoleDefinition'.
VERBOSE: Exporting cmdlet 'Remove-AzureADMSRoleDefinition'.
VERBOSE: Exporting cmdlet 'Set-AzureADMSRoleDefinition'.
VERBOSE: Exporting cmdlet 'Get-AzureADMSConditionalAccessPolicy'.
VERBOSE: Exporting cmdlet 'New-AzureADMSConditionalAccessPolicy'.
VERBOSE: Exporting cmdlet 'Remove-AzureADMSConditionalAccessPolicy'.
VERBOSE: Exporting cmdlet 'Set-AzureADMSConditionalAccessPolicy'.
VERBOSE: Exporting cmdlet 'Add-AzureADMSServicePrincipalDelegatedPermissionClassification'.
VERBOSE: Exporting cmdlet 'Get-AzureADMSServicePrincipalDelegatedPermissionClassification'.
VERBOSE: Exporting cmdlet 'Remove-AzureADMSServicePrincipalDelegatedPermissionClassification'.
VERBOSE: Exporting cmdlet 'Add-AzureADMSLifecyclePolicyGroup'.
VERBOSE: Exporting cmdlet 'Get-AzureADMSGroupLifecyclePolicy'.
VERBOSE: Exporting cmdlet 'New-AzureADMSGroupLifecyclePolicy'.
VERBOSE: Exporting cmdlet 'Remove-AzureADMSGroupLifecyclePolicy'.
VERBOSE: Exporting cmdlet 'Remove-AzureADMSLifecyclePolicyGroup'.
VERBOSE: Exporting cmdlet 'Reset-AzureADMSLifeCycleGroup'.
VERBOSE: Exporting cmdlet 'Set-AzureADMSGroupLifecyclePolicy'.
VERBOSE: Exporting cmdlet 'Remove-AzureADMSIdentityProvider'.
VERBOSE: Exporting cmdlet 'Get-AzureADMSIdentityProvider'.
VERBOSE: Exporting cmdlet 'New-AzureADMSIdentityProvider'.
VERBOSE: Exporting cmdlet 'Set-AzureADMSIdentityProvider'.
VERBOSE: Exporting cmdlet 'New-AzureADMSInvitation'.
VERBOSE: Exporting cmdlet 'Add-AzureADMSAdministrativeUnitMember'.
VERBOSE: Exporting cmdlet 'Add-AzureADMSScopedRoleMembership'.
VERBOSE: Exporting cmdlet 'Get-AzureADMSAdministrativeUnit'.
VERBOSE: Exporting cmdlet 'Get-AzureADMSAdministrativeUnitMember'.
VERBOSE: Exporting cmdlet 'Get-AzureADMSScopedRoleMembership'.
VERBOSE: Exporting cmdlet 'New-AzureADMSAdministrativeUnit'.
VERBOSE: Exporting cmdlet 'Remove-AzureADMSAdministrativeUnit'.
VERBOSE: Exporting cmdlet 'Remove-AzureADMSAdministrativeUnitMember'.
VERBOSE: Exporting cmdlet 'Remove-AzureADMSScopedRoleMembership'.
VERBOSE: Exporting cmdlet 'Set-AzureADMSAdministrativeUnit'.
VERBOSE: Exporting cmdlet 'Get-AzureADMSDeletedGroup'.
VERBOSE: Exporting cmdlet 'Get-AzureADMSDeletedDirectoryObject'.
VERBOSE: Exporting cmdlet 'Remove-AzureADMSDeletedDirectoryObject'.
VERBOSE: Exporting cmdlet 'Restore-AzureADMSDeletedDirectoryObject'.
VERBOSE: Exporting cmdlet 'Get-AzureADMSLifecyclePolicyGroup'.
VERBOSE: Exporting cmdlet 'Get-AzureADMSGroup'.
VERBOSE: Exporting cmdlet 'New-AzureADMSGroup'.
VERBOSE: Exporting cmdlet 'Remove-AzureADMSGroup'.
VERBOSE: Exporting cmdlet 'Set-AzureADMSGroup'.
VERBOSE: Exporting cmdlet 'Get-AzureADMSNamedLocationPolicy'.
VERBOSE: Exporting cmdlet 'New-AzureADMSNamedLocationPolicy'.
VERBOSE: Exporting cmdlet 'Remove-AzureADMSNamedLocationPolicy'.
VERBOSE: Exporting cmdlet 'Set-AzureADMSNamedLocationPolicy'.
VERBOSE: Exporting cmdlet 'New-AzureADApplicationProxyApplication'.
VERBOSE: Exporting cmdlet 'Remove-AzureADApplicationProxyApplication'.
VERBOSE: Exporting cmdlet 'Set-AzureADApplicationProxyApplication'.
VERBOSE: Exporting cmdlet 'Set-AzureADApplicationProxyApplicationConnectorGroup'.
VERBOSE: Exporting cmdlet 'Set-AzureADApplicationProxyApplicationCustomDomainCertificate'.
VERBOSE: Exporting cmdlet 'Set-AzureADApplicationProxyApplicationSingleSignOn'.
VERBOSE: Exporting cmdlet 'Set-AzureADApplicationProxyConnector'.
VERBOSE: Exporting cmdlet 'Get-AzureADApplicationProxyConnectorGroup'.
VERBOSE: Exporting alias 'Get-AzureADApplicationProxyConnectorGroupMembers'.
VERBOSE: Importing cmdlet 'Add-AzureADApplicationOwner'.
VERBOSE: Importing cmdlet 'Add-AzureADDeviceRegisteredOwner'.
VERBOSE: Importing cmdlet 'Add-AzureADDeviceRegisteredUser'.
VERBOSE: Importing cmdlet 'Add-AzureADDirectoryRoleMember'.
VERBOSE: Importing cmdlet 'Add-AzureADGroupMember'.
VERBOSE: Importing cmdlet 'Add-AzureADGroupOwner'.
VERBOSE: Importing cmdlet 'Add-AzureADMSAdministrativeUnitMember'.
VERBOSE: Importing cmdlet 'Add-AzureADMSApplicationOwner'.
VERBOSE: Importing cmdlet 'Add-AzureADMSLifecyclePolicyGroup'.
VERBOSE: Importing cmdlet 'Add-AzureADMSScopedRoleMembership'.
VERBOSE: Importing cmdlet 'Add-AzureADMSServicePrincipalDelegatedPermissionClassification'.
VERBOSE: Importing cmdlet 'Add-AzureADServicePrincipalOwner'.
VERBOSE: Importing cmdlet 'Confirm-AzureADDomain'.
VERBOSE: Importing cmdlet 'Connect-AzureAD'.
VERBOSE: Importing cmdlet 'Disconnect-AzureAD'.
VERBOSE: Importing cmdlet 'Enable-AzureADDirectoryRole'.
VERBOSE: Importing cmdlet 'Get-AzureADApplication'.
VERBOSE: Importing cmdlet 'Get-AzureADApplicationExtensionProperty'.
VERBOSE: Importing cmdlet 'Get-AzureADApplicationKeyCredential'.
VERBOSE: Importing cmdlet 'Get-AzureADApplicationLogo'.
VERBOSE: Importing cmdlet 'Get-AzureADApplicationOwner'.
VERBOSE: Importing cmdlet 'Get-AzureADApplicationPasswordCredential'.
VERBOSE: Importing cmdlet 'Get-AzureADApplicationProxyApplication'.
VERBOSE: Importing cmdlet 'Get-AzureADApplicationProxyApplicationConnectorGroup'.
VERBOSE: Importing cmdlet 'Get-AzureADApplicationProxyConnector'.
VERBOSE: Importing cmdlet 'Get-AzureADApplicationProxyConnectorGroup'.
VERBOSE: Importing cmdlet 'Get-AzureADApplicationProxyConnectorGroupMember'.
VERBOSE: Importing cmdlet 'Get-AzureADApplicationProxyConnectorMemberOf'.
VERBOSE: Importing cmdlet 'Get-AzureADApplicationServiceEndpoint'.
VERBOSE: Importing cmdlet 'Get-AzureADContact'.
VERBOSE: Importing cmdlet 'Get-AzureADContactDirectReport'.
VERBOSE: Importing cmdlet 'Get-AzureADContactManager'.
VERBOSE: Importing cmdlet 'Get-AzureADContactMembership'.
VERBOSE: Importing cmdlet 'Get-AzureADContactThumbnailPhoto'.
VERBOSE: Importing cmdlet 'Get-AzureADContract'.
VERBOSE: Importing cmdlet 'Get-AzureADCurrentSessionInfo'.
VERBOSE: Importing cmdlet 'Get-AzureADDeletedApplication'.
VERBOSE: Importing cmdlet 'Get-AzureADDevice'.
VERBOSE: Importing cmdlet 'Get-AzureADDeviceConfiguration'.
VERBOSE: Importing cmdlet 'Get-AzureADDeviceRegisteredOwner'.
VERBOSE: Importing cmdlet 'Get-AzureADDeviceRegisteredUser'.
VERBOSE: Importing cmdlet 'Get-AzureADDirectoryRole'.
VERBOSE: Importing cmdlet 'Get-AzureADDirectoryRoleMember'.
VERBOSE: Importing cmdlet 'Get-AzureADDirectoryRoleTemplate'.
VERBOSE: Importing cmdlet 'Get-AzureADDomain'.
VERBOSE: Importing cmdlet 'Get-AzureADDomainNameReference'.
VERBOSE: Importing cmdlet 'Get-AzureADDomainServiceConfigurationRecord'.
VERBOSE: Importing cmdlet 'Get-AzureADDomainVerificationDnsRecord'.
VERBOSE: Importing cmdlet 'Get-AzureADExtensionProperty'.
VERBOSE: Importing cmdlet 'Get-AzureADGroup'.
VERBOSE: Importing cmdlet 'Get-AzureADGroupAppRoleAssignment'.
VERBOSE: Importing cmdlet 'Get-AzureADGroupMember'.
VERBOSE: Importing cmdlet 'Get-AzureADGroupOwner'.
VERBOSE: Importing cmdlet 'Get-AzureADMSAdministrativeUnit'.
VERBOSE: Importing cmdlet 'Get-AzureADMSAdministrativeUnitMember'.
VERBOSE: Importing cmdlet 'Get-AzureADMSApplication'.
VERBOSE: Importing cmdlet 'Get-AzureADMSApplicationExtensionProperty'.
VERBOSE: Importing cmdlet 'Get-AzureADMSApplicationOwner'.
VERBOSE: Importing cmdlet 'Get-AzureADMSAuthorizationPolicy'.
VERBOSE: Importing cmdlet 'Get-AzureADMSConditionalAccessPolicy'.
VERBOSE: Importing cmdlet 'Get-AzureADMSDeletedDirectoryObject'.
VERBOSE: Importing cmdlet 'Get-AzureADMSDeletedGroup'.
VERBOSE: Importing cmdlet 'Get-AzureADMSGroup'.
VERBOSE: Importing cmdlet 'Get-AzureADMSGroupLifecyclePolicy'.
VERBOSE: Importing cmdlet 'Get-AzureADMSGroupPermissionGrant'.
VERBOSE: Importing cmdlet 'Get-AzureADMSIdentityProvider'.
VERBOSE: Importing cmdlet 'Get-AzureADMSLifecyclePolicyGroup'.
VERBOSE: Importing cmdlet 'Get-AzureADMSNamedLocationPolicy'.
VERBOSE: Importing cmdlet 'Get-AzureADMSPermissionGrantConditionSet'.
VERBOSE: Importing cmdlet 'Get-AzureADMSPermissionGrantPolicy'.
VERBOSE: Importing cmdlet 'Get-AzureADMSRoleAssignment'.
VERBOSE: Importing cmdlet 'Get-AzureADMSRoleDefinition'.
VERBOSE: Importing cmdlet 'Get-AzureADMSScopedRoleMembership'.
VERBOSE: Importing cmdlet 'Get-AzureADMSServicePrincipalDelegatedPermissionClassification'.
VERBOSE: Importing cmdlet 'Get-AzureADOAuth2PermissionGrant'.
VERBOSE: Importing cmdlet 'Get-AzureADObjectByObjectId'.
VERBOSE: Importing cmdlet 'Get-AzureADServiceAppRoleAssignedTo'.
VERBOSE: Importing cmdlet 'Get-AzureADServiceAppRoleAssignment'.
VERBOSE: Importing cmdlet 'Get-AzureADServicePrincipal'.
VERBOSE: Importing cmdlet 'Get-AzureADServicePrincipalCreatedObject'.
VERBOSE: Importing cmdlet 'Get-AzureADServicePrincipalKeyCredential'.
VERBOSE: Importing cmdlet 'Get-AzureADServicePrincipalMembership'.
VERBOSE: Importing cmdlet 'Get-AzureADServicePrincipalOAuth2PermissionGrant'.
VERBOSE: Importing cmdlet 'Get-AzureADServicePrincipalOwnedObject'.
VERBOSE: Importing cmdlet 'Get-AzureADServicePrincipalOwner'.
VERBOSE: Importing cmdlet 'Get-AzureADServicePrincipalPasswordCredential'.
VERBOSE: Importing cmdlet 'Get-AzureADSubscribedSku'.
VERBOSE: Importing cmdlet 'Get-AzureADTenantDetail'.
VERBOSE: Importing cmdlet 'Get-AzureADTrustedCertificateAuthority'.
VERBOSE: Importing cmdlet 'Get-AzureADUser'.
VERBOSE: Importing cmdlet 'Get-AzureADUserAppRoleAssignment'.
VERBOSE: Importing cmdlet 'Get-AzureADUserCreatedObject'.
VERBOSE: Importing cmdlet 'Get-AzureADUserDirectReport'.
VERBOSE: Importing cmdlet 'Get-AzureADUserExtension'.
VERBOSE: Importing cmdlet 'Get-AzureADUserLicenseDetail'.
VERBOSE: Importing cmdlet 'Get-AzureADUserManager'.
VERBOSE: Importing cmdlet 'Get-AzureADUserMembership'.
VERBOSE: Importing cmdlet 'Get-AzureADUserOAuth2PermissionGrant'.
VERBOSE: Importing cmdlet 'Get-AzureADUserOwnedDevice'.
VERBOSE: Importing cmdlet 'Get-AzureADUserOwnedObject'.
VERBOSE: Importing cmdlet 'Get-AzureADUserRegisteredDevice'.
VERBOSE: Importing cmdlet 'Get-AzureADUserThumbnailPhoto'.
VERBOSE: Importing cmdlet 'Get-CrossCloudVerificationCode'.
VERBOSE: Importing cmdlet 'New-AzureADApplication'.
VERBOSE: Importing cmdlet 'New-AzureADApplicationExtensionProperty'.
VERBOSE: Importing cmdlet 'New-AzureADApplicationKeyCredential'.
VERBOSE: Importing cmdlet 'New-AzureADApplicationPasswordCredential'.
VERBOSE: Importing cmdlet 'New-AzureADApplicationProxyApplication'.
VERBOSE: Importing cmdlet 'New-AzureADApplicationProxyConnectorGroup'.
VERBOSE: Importing cmdlet 'New-AzureADDevice'.
VERBOSE: Importing cmdlet 'New-AzureADDomain'.
VERBOSE: Importing cmdlet 'New-AzureADGroup'.
VERBOSE: Importing cmdlet 'New-AzureADGroupAppRoleAssignment'.
VERBOSE: Importing cmdlet 'New-AzureADMSAdministrativeUnit'.
VERBOSE: Importing cmdlet 'New-AzureADMSApplication'.
VERBOSE: Importing cmdlet 'New-AzureADMSApplicationExtensionProperty'.
VERBOSE: Importing cmdlet 'New-AzureADMSApplicationKey'.
VERBOSE: Importing cmdlet 'New-AzureADMSApplicationPassword'.
VERBOSE: Importing cmdlet 'New-AzureADMSConditionalAccessPolicy'.
VERBOSE: Importing cmdlet 'New-AzureADMSGroup'.
VERBOSE: Importing cmdlet 'New-AzureADMSGroupLifecyclePolicy'.
VERBOSE: Importing cmdlet 'New-AzureADMSIdentityProvider'.
VERBOSE: Importing cmdlet 'New-AzureADMSInvitation'.
VERBOSE: Importing cmdlet 'New-AzureADMSNamedLocationPolicy'.
VERBOSE: Importing cmdlet 'New-AzureADMSPermissionGrantConditionSet'.
VERBOSE: Importing cmdlet 'New-AzureADMSPermissionGrantPolicy'.
VERBOSE: Importing cmdlet 'New-AzureADMSRoleAssignment'.
VERBOSE: Importing cmdlet 'New-AzureADMSRoleDefinition'.
VERBOSE: Importing cmdlet 'New-AzureADServiceAppRoleAssignment'.
VERBOSE: Importing cmdlet 'New-AzureADServicePrincipal'.
VERBOSE: Importing cmdlet 'New-AzureADServicePrincipalKeyCredential'.
VERBOSE: Importing cmdlet 'New-AzureADServicePrincipalPasswordCredential'.
VERBOSE: Importing cmdlet 'New-AzureADTrustedCertificateAuthority'.
VERBOSE: Importing cmdlet 'New-AzureADUser'.
VERBOSE: Importing cmdlet 'New-AzureADUserAppRoleAssignment'.
VERBOSE: Importing cmdlet 'Remove-AzureADApplication'.
VERBOSE: Importing cmdlet 'Remove-AzureADApplicationExtensionProperty'.
VERBOSE: Importing cmdlet 'Remove-AzureADApplicationKeyCredential'.
VERBOSE: Importing cmdlet 'Remove-AzureADApplicationOwner'.
VERBOSE: Importing cmdlet 'Remove-AzureADApplicationPasswordCredential'.
VERBOSE: Importing cmdlet 'Remove-AzureADApplicationProxyApplication'.
VERBOSE: Importing cmdlet 'Remove-AzureADApplicationProxyApplicationConnectorGroup'.
VERBOSE: Importing cmdlet 'Remove-AzureADApplicationProxyConnectorGroup'.
VERBOSE: Importing cmdlet 'Remove-AzureADContact'.
VERBOSE: Importing cmdlet 'Remove-AzureADContactManager'.
VERBOSE: Importing cmdlet 'Remove-AzureADDeletedApplication'.
VERBOSE: Importing cmdlet 'Remove-AzureADDevice'.
VERBOSE: Importing cmdlet 'Remove-AzureADDeviceRegisteredOwner'.
VERBOSE: Importing cmdlet 'Remove-AzureADDeviceRegisteredUser'.
VERBOSE: Importing cmdlet 'Remove-AzureADDirectoryRoleMember'.
VERBOSE: Importing cmdlet 'Remove-AzureADDomain'.
VERBOSE: Importing cmdlet 'Remove-AzureADGroup'.
VERBOSE: Importing cmdlet 'Remove-AzureADGroupAppRoleAssignment'.
VERBOSE: Importing cmdlet 'Remove-AzureADGroupMember'.
VERBOSE: Importing cmdlet 'Remove-AzureADGroupOwner'.
VERBOSE: Importing cmdlet 'Remove-AzureADMSAdministrativeUnit'.
VERBOSE: Importing cmdlet 'Remove-AzureADMSAdministrativeUnitMember'.
VERBOSE: Importing cmdlet 'Remove-AzureADMSApplication'.
VERBOSE: Importing cmdlet 'Remove-AzureADMSApplicationExtensionProperty'.
VERBOSE: Importing cmdlet 'Remove-AzureADMSApplicationKey'.
VERBOSE: Importing cmdlet 'Remove-AzureADMSApplicationOwner'.
VERBOSE: Importing cmdlet 'Remove-AzureADMSApplicationPassword'.
VERBOSE: Importing cmdlet 'Remove-AzureADMSApplicationVerifiedPublisher'.
VERBOSE: Importing cmdlet 'Remove-AzureADMSConditionalAccessPolicy'.
VERBOSE: Importing cmdlet 'Remove-AzureADMSDeletedDirectoryObject'.
VERBOSE: Importing cmdlet 'Remove-AzureADMSGroup'.
VERBOSE: Importing cmdlet 'Remove-AzureADMSGroupLifecyclePolicy'.
VERBOSE: Importing cmdlet 'Remove-AzureADMSIdentityProvider'.
VERBOSE: Importing cmdlet 'Remove-AzureADMSLifecyclePolicyGroup'.
VERBOSE: Importing cmdlet 'Remove-AzureADMSNamedLocationPolicy'.
VERBOSE: Importing cmdlet 'Remove-AzureADMSPermissionGrantConditionSet'.
VERBOSE: Importing cmdlet 'Remove-AzureADMSPermissionGrantPolicy'.
VERBOSE: Importing cmdlet 'Remove-AzureADMSRoleAssignment'.
VERBOSE: Importing cmdlet 'Remove-AzureADMSRoleDefinition'.
VERBOSE: Importing cmdlet 'Remove-AzureADMSScopedRoleMembership'.
VERBOSE: Importing cmdlet 'Remove-AzureADMSServicePrincipalDelegatedPermissionClassification'.
VERBOSE: Importing cmdlet 'Remove-AzureADOAuth2PermissionGrant'.
VERBOSE: Importing cmdlet 'Remove-AzureADServiceAppRoleAssignment'.
VERBOSE: Importing cmdlet 'Remove-AzureADServicePrincipal'.
VERBOSE: Importing cmdlet 'Remove-AzureADServicePrincipalKeyCredential'.
VERBOSE: Importing cmdlet 'Remove-AzureADServicePrincipalOwner'.
VERBOSE: Importing cmdlet 'Remove-AzureADServicePrincipalPasswordCredential'.
VERBOSE: Importing cmdlet 'Remove-AzureADTrustedCertificateAuthority'.
VERBOSE: Importing cmdlet 'Remove-AzureADUser'.
VERBOSE: Importing cmdlet 'Remove-AzureADUserAppRoleAssignment'.
VERBOSE: Importing cmdlet 'Remove-AzureADUserExtension'.
VERBOSE: Importing cmdlet 'Remove-AzureADUserManager'.
VERBOSE: Importing cmdlet 'Reset-AzureADMSLifeCycleGroup'.
VERBOSE: Importing cmdlet 'Restore-AzureADDeletedApplication'.
VERBOSE: Importing cmdlet 'Restore-AzureADMSDeletedDirectoryObject'.
VERBOSE: Importing cmdlet 'Revoke-AzureADSignedInUserAllRefreshToken'.
VERBOSE: Importing cmdlet 'Revoke-AzureADUserAllRefreshToken'.
VERBOSE: Importing cmdlet 'Select-AzureADGroupIdsContactIsMemberOf'.
VERBOSE: Importing cmdlet 'Select-AzureADGroupIdsGroupIsMemberOf'.
VERBOSE: Importing cmdlet 'Select-AzureADGroupIdsServicePrincipalIsMemberOf'.
VERBOSE: Importing cmdlet 'Select-AzureADGroupIdsUserIsMemberOf'.
VERBOSE: Importing cmdlet 'Set-AzureADApplication'.
VERBOSE: Importing cmdlet 'Set-AzureADApplicationLogo'.
VERBOSE: Importing cmdlet 'Set-AzureADApplicationProxyApplication'.
VERBOSE: Importing cmdlet 'Set-AzureADApplicationProxyApplicationConnectorGroup'.
VERBOSE: Importing cmdlet 'Set-AzureADApplicationProxyApplicationCustomDomainCertificate'.
VERBOSE: Importing cmdlet 'Set-AzureADApplicationProxyApplicationSingleSignOn'.
VERBOSE: Importing cmdlet 'Set-AzureADApplicationProxyConnector'.
VERBOSE: Importing cmdlet 'Set-AzureADApplicationProxyConnectorGroup'.
VERBOSE: Importing cmdlet 'Set-AzureADDevice'.
VERBOSE: Importing cmdlet 'Set-AzureADDomain'.
VERBOSE: Importing cmdlet 'Set-AzureADGroup'.
VERBOSE: Importing cmdlet 'Set-AzureADMSAdministrativeUnit'.
VERBOSE: Importing cmdlet 'Set-AzureADMSApplication'.
VERBOSE: Importing cmdlet 'Set-AzureADMSApplicationLogo'.
VERBOSE: Importing cmdlet 'Set-AzureADMSApplicationVerifiedPublisher'.
VERBOSE: Importing cmdlet 'Set-AzureADMSAuthorizationPolicy'.
VERBOSE: Importing cmdlet 'Set-AzureADMSConditionalAccessPolicy'.
VERBOSE: Importing cmdlet 'Set-AzureADMSGroup'.
VERBOSE: Importing cmdlet 'Set-AzureADMSGroupLifecyclePolicy'.
VERBOSE: Importing cmdlet 'Set-AzureADMSIdentityProvider'.
VERBOSE: Importing cmdlet 'Set-AzureADMSNamedLocationPolicy'.
VERBOSE: Importing cmdlet 'Set-AzureADMSPermissionGrantConditionSet'.
VERBOSE: Importing cmdlet 'Set-AzureADMSPermissionGrantPolicy'.
VERBOSE: Importing cmdlet 'Set-AzureADMSRoleDefinition'.
VERBOSE: Importing cmdlet 'Set-AzureADServicePrincipal'.
VERBOSE: Importing cmdlet 'Set-AzureADTenantDetail'.
VERBOSE: Importing cmdlet 'Set-AzureADTrustedCertificateAuthority'.
VERBOSE: Importing cmdlet 'Set-AzureADUser'.
VERBOSE: Importing cmdlet 'Set-AzureADUserExtension'.
VERBOSE: Importing cmdlet 'Set-AzureADUserLicense'.
VERBOSE: Importing cmdlet 'Set-AzureADUserManager'.
VERBOSE: Importing cmdlet 'Set-AzureADUserPassword'.
VERBOSE: Importing cmdlet 'Set-AzureADUserThumbnailPhoto'.
VERBOSE: Importing cmdlet 'Update-AzureADSignedInUserPassword'.
VERBOSE: Importing alias 'Get-AzureADApplicationProxyConnectorGroupMembers'.
VERBOSE: Found AAD user '[email protected]' for SID S-1-5-21-2488401269-1895120637-1421044794-9150
VERBOSE: CheckSidHasAadUser - SUCCESS
VERBOSE: CheckAadUserHasSid - START
VERBOSE: Missing required parameter ObjectId for CheckAadUserHasSid requires ObjectId parameter to be present, skipping
 CheckAadUserHasSid
VERBOSE: CheckStorageAccountDomainJoined - START
VERBOSE: Found storage Account 'netsecfileshares' in Resource Group 'rg-FileShare-Test-EastUs-1'
VERBOSE: Storage account netsecfileshares is already joined in domain corp.netsec.com.
VERBOSE: CheckStorageAccountDomainJoined - SUCCESS
VERBOSE: CheckUserRbacAssignment - START
VERBOSE: Populating RepositorySourceLocation property for module AzureAD.
VERBOSE: Loading module from path 'C:\Program
Files\WindowsPowerShell\Modules\AzureAD\2.0.2.140\Microsoft.Open.Azure.AD.CommonLibrary.dll'.
VERBOSE: Loading module from path 'C:\Program
Files\WindowsPowerShell\Modules\AzureAD\2.0.2.140\Microsoft.Open.AzureAD16.Graph.PowerShell.Custom.dll'.
VERBOSE: Loading module from path 'C:\Program
Files\WindowsPowerShell\Modules\AzureAD\2.0.2.140\Microsoft.Open.AzureAD16.Graph.Client.dll'.
VERBOSE: Loading module from path 'C:\Program
Files\WindowsPowerShell\Modules\AzureAD\2.0.2.140\Microsoft.Open.MS.GraphV10.PowerShell.dll'.
VERBOSE: Loading module from path 'C:\Program
Files\WindowsPowerShell\Modules\AzureAD\2.0.2.140\Microsoft.Open.MS.GraphV10.PowerShell.Custom.dll'.
VERBOSE: Loading module from path 'C:\Program
Files\WindowsPowerShell\Modules\AzureAD\2.0.2.140\Microsoft.Open.MS.GraphV10.Client.dll'.
VERBOSE: Loading module from path 'C:\Program
Files\WindowsPowerShell\Modules\AzureAD\2.0.2.140\Microsoft.Open.AzureAD16.Graph.PowerShell.dll'.
VERBOSE: Look up user jon in domain corp.netsec.com
VERBOSE: Look up groups of user S-1-5-21-2488401269-1895120637-1421044794-9150 in domain corp.netsec.com
Debug-AzStorageAccountAuth : CheckUserRbacAssignment - FAILED
At line:1 char:1
+ Debug-AzStorageAccountAuth -StorageAccountName netsecfileshares -Resourc ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Debug-AzStorageAccountAuth
Debug-AzStorageAccountAuth : The server is not operational
At line:1 char:1
+ Debug-AzStorageAccountAuth -StorageAccountName netsecfileshares -Resourc ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Debug-AzStorageAccountAuth
VERBOSE: CheckUserFileAccess - START
VERBOSE: Missing required parameter FilePath for CheckUserFileAccess, skipping CheckUserFileAccess
Summary of checks:


Name                            Result
----                            ------
CheckDomainJoined               Passed
CheckGetKerberosTicket          Passed
CheckUserRbacAssignment         Failed
CheckAadUserHasSid              Skipped
CheckADObjectPasswordIsCorrect  Passed
CheckADObject                   Passed
CheckUserFileAccess             Skipped
CheckPort445Connectivity        Passed
CheckStorageAccountDomainJoined Passed
CheckSidHasAadUser              Passed

Issues found:
---- CheckUserRbacAssignment ----
The server is not operational
PS C:\temp\jy\AzFilesHybrid>


Once this step completed successfully, you should be able to see file shares has been configured with Active Directory.



AD Connect Installation and Configuration

Please refer this post for Azure AD connect installation and configuration. 


Hybrid Azure AD Joined Device Configuration

It is an optional configuration to enable Hybrid Azure AD Joined Device in AD connect

Choose Configuredevice options to start configuring Hybrid joined device configuration. 

List of additional tasks

You will need a global admin account to log into Azure AD. Also you will need a local ad account which is part of enterprise admins group to log into local AD.




Make sure account (admin1) is joined into enterprise admins group




Also make sure you synced computers and users into AAD using Customize Synchronization Options from AD connect.




Verification Hybrid Joined Devices.

After a couple of minutes, check your AD joined machine to see if AAD joined enabled. 

  • from command line
  • from AAD devices



Before enabled Hybrid Joined Device:

C:\Users\test1>dsregcmd /status +----------------------------------------------------------------------+
| Device State |
+----------------------------------------------------------------------+ AzureAdJoined : NO
EnterpriseJoined : NO
DomainJoined : YES
DomainName : 51SEC
Device Name : win11-51sec-1.51sec.corp +----------------------------------------------------------------------+
| User State |
+----------------------------------------------------------------------+ NgcSet : NO
WorkplaceJoined : NO
WamDefaultSet : NO +----------------------------------------------------------------------+
| SSO State |
+----------------------------------------------------------------------+ AzureAdPrt : NO
AzureAdPrtAuthority : NO
EnterprisePrt : NO
EnterprisePrtAuthority : NO +----------------------------------------------------------------------+
| Diagnostic Data |
+----------------------------------------------------------------------+ Diagnostics Reference : www.microsoft.com/aadjerrors
User Context : UN-ELEVATED User
Client Time : 2022-03-28 02:27:38.000 UTC
AD Connectivity Test : PASS
AD Configuration Test : FAIL [0x80070005]
DRS Discovery Test : SKIPPED
DRS Connectivity Test : SKIPPED
Token acquisition Test : SKIPPED
Fallback to Sync-Join : ENABLED Previous Registration : 2022-03-28 02:04:01.000 UTC
Registration Type : sync
Error Phase : join
Client ErrorCode : 0x801c03f3
Server ErrorCode : invalid_request
Server ErrorSubCode : error_missing_device
Server Operation : DeviceRenew
Server Message : The device object by the given id (ca565a27-6db8-4a55-9e5e-d96427e8cd2e) is not found.
Https Status : 400
Request Id : 04bb2d88-30f9-44cc-a456-d84ca34dcf16
Executing Account Name : WIN11-51SEC-1\test1 +----------------------------------------------------------------------+
| IE Proxy Config for Current User |
+----------------------------------------------------------------------+ Auto Detect Settings : YES
Auto-Configuration URL :
Proxy Server List :
Proxy Bypass List : +----------------------------------------------------------------------+
| WinHttp Default Proxy Config |
+----------------------------------------------------------------------+ Access Type : DIRECT +----------------------------------------------------------------------+
| Ngc Prerequisite Check |
+----------------------------------------------------------------------+ IsDeviceJoined : NO
IsUserAzureAD : NO
PolicyEnabled : NO
PostLogonEnabled : YES
DeviceEligible : YES
SessionIsNotRemote : YES
CertEnrollment : none
PreReqResult : WillNotProvision For more information, please visit https://www.microsoft.com/aadjerrors
C:\Users\test1>


After enabled Hybrid Joined Device:

C:\Users\test1>dsregcmd /status
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : 51SEC
               Device Name : win11-51sec-1.51sec.corp
+----------------------------------------------------------------------+
| Device Details                                                       |
+----------------------------------------------------------------------+
                  DeviceId : ca565a27-6db8-4a55-9e5e-d96427e8cd2e
                Thumbprint : 014E8C97B0A2553E6B32F3A03B7C931F290A3652
 DeviceCertificateValidity : [ 2022-03-28 01:57:43.000 UTC -- 2032-03-28 02:27:43.000 UTC ]
            KeyContainerId : 7eacafad-c157-472f-8834-f011bafa97c3
               KeyProvider : Microsoft Platform Crypto Provider
              TpmProtected : YES
          DeviceAuthStatus : SUCCESS
+----------------------------------------------------------------------+
| Tenant Details                                                       |
+----------------------------------------------------------------------+
                TenantName :
                  TenantId : 8ed8617a-5de3-44d8-a8f4-737c89fa9bbc
               AuthCodeUrl : https://login.microsoftonline.com/8ed8617a-5de3-44d8-a8f4-737c89fa9bbc/oauth2/authorize
            AccessTokenUrl : https://login.microsoftonline.com/8ed8617a-5de3-44d8-a8f4-737c89fa9bbc/oauth2/token
                    MdmUrl :
                 MdmTouUrl :
          MdmComplianceUrl :
               SettingsUrl :
            JoinSrvVersion : 2.0
                JoinSrvUrl : https://enterpriseregistration.windows.net/EnrollmentServer/device/
                 JoinSrvId : urn:ms-drs:enterpriseregistration.windows.net
             KeySrvVersion : 1.0
                 KeySrvUrl : https://enterpriseregistration.windows.net/EnrollmentServer/key/
                  KeySrvId : urn:ms-drs:enterpriseregistration.windows.net
        WebAuthNSrvVersion : 1.0
            WebAuthNSrvUrl : https://enterpriseregistration.windows.net/webauthn/8ed8617a-5de3-44d8-a8f4-737c89fa9bbc/
             WebAuthNSrvId : urn:ms-drs:enterpriseregistration.windows.net
    DeviceManagementSrvVer : 1.0
    DeviceManagementSrvUrl : https://enterpriseregistration.windows.net/manage/8ed8617a-5de3-44d8-a8f4-737c89fa9bbc/
     DeviceManagementSrvId : urn:ms-drs:enterpriseregistration.windows.net
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
                    NgcSet : NO
           WorkplaceJoined : NO
             WamDefaultSet : NO
+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+
                AzureAdPrt : NO
       AzureAdPrtAuthority :
             EnterprisePrt : NO
    EnterprisePrtAuthority :
+----------------------------------------------------------------------+
| Diagnostic Data                                                      |
+----------------------------------------------------------------------+
        AadRecoveryEnabled : NO
    Executing Account Name : WIN11-51SEC-1\test1
               KeySignTest : PASSED
+----------------------------------------------------------------------+
| IE Proxy Config for Current User                                     |
+----------------------------------------------------------------------+
      Auto Detect Settings : YES
    Auto-Configuration URL :
         Proxy Server List :
         Proxy Bypass List :
+----------------------------------------------------------------------+
| WinHttp Default Proxy Config                                         |
+----------------------------------------------------------------------+
               Access Type : DIRECT
+----------------------------------------------------------------------+
| Ngc Prerequisite Check                                               |
+----------------------------------------------------------------------+
            IsDeviceJoined : YES
             IsUserAzureAD : NO
             PolicyEnabled : NO
          PostLogonEnabled : YES
            DeviceEligible : YES
        SessionIsNotRemote : YES
            CertEnrollment : none
              PreReqResult : WillNotProvision
For more information, please visit https://www.microsoft.com/aadjerrors
C:\Users\test1>

Now , you should be able to log into your computer using your email address.
\



Windows Client Configuration

Please make sure your Windows client machine joined local AD DS. 


If your Windows client machine is not having direct connection to your local AD DC, you will need a vpn to connect back to your AD DC. 

There is a challenge to get your remote workgroup machine to join into your local onprem AD, even with VPN installed and connected. 

Before you log in to your machine using your AD account, you will have to log in your machine using local admin account and shift right click an application to open it using a different user. That will allow system to create a Domain user profile to allow this domain user to log in without a connection to AD DC.

Following screenshot is an example of CMD application.



Azure Point to Site  (P2S) VPN Configuration

If your Internet ISP blocked port 445, you will need to create a Azure VPN Gateway to create a tunnel to have your client machine connecting to your File Shares. You might also need to create private end point for your storage account. 



In addition to the default public endpoint for a storage account, Azure Files provides the option to have one or more private endpoints. A private endpoint is an endpoint that is only accessible within an Azure virtual network. When you create a private endpoint for your storage account, your storage account gets a private IP address from within the address space of your virtual network, much like how an on-premises file server or NAS device receives an IP address within the dedicated address space of your on-premises network.

An individual private endpoint is associated with a specific Azure virtual network subnet. A storage account may have private endpoints in more than one virtual network.


Please refer following post to configure your P2S VPN.


Notes


For Azure File Shares, you can only choose your Active Diretory source either from local AD DS or from Azure AD DS. Following screenshot is an example which enabled to intergrate with local AD DS



No comments